<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-us" lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="DC.Type" content="reference"/>
<meta name="DC.Title" content="New and Noteworthy"/>
<meta name="abstract" content="Here are descriptions of some of the more interesting or significant changes made to Eclipse Memory Analyzer for the 1.12 release."/>
<meta name="description" content="Here are descriptions of some of the more interesting or significant changes made to Eclipse Memory Analyzer for the 1.12 release."/>
<meta name="copyright" content="Copyright (c) 2008, 2021 SAP AG, IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-2.0/ " type="primary"/>
<meta name="DC.Rights.Owner" content="Copyright (c) 2008, 2021 SAP AG, IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-2.0/ " type="primary"/>
<meta name="DC.Format" content="XHTML"/>
<meta name="DC.Identifier" content="ref_noteworthy"/>
<meta name="DC.Language" content="en-us"/>
<link rel="stylesheet" type="text/css" href="styles/commonltr.css"/>
<title>New and Noteworthy</title>
</head>
<body id="ref_noteworthy">


	<h1 class="title topictitle1">New and Noteworthy</h1>

	
	
	<div class="body refbody"><p class="shortdesc">Here are descriptions of some of the more interesting or
		significant changes made to <span class="keyword">Eclipse Memory Analyzer</span> for the 1.12 release.
	</p>

		<div class="section"><h2 class="title sectiontitle">Enhancements and fixes</h2>
			
			<ul class="ul">
			<li class="li">Compressed HPROF dumps created by OpenJDK 15 and later VMs are now read by Memory Analyzer.
			Also, the performance of Memory Analyzer reading HPROF dumps compressed by Gzip has been improved.</li>

			<li class="li">Huge heap dumps can be handled in Memory Analyzer by discarding some of the objects from the heap dump.
			Users of Memory Analyzer can now examine some of those unindexed and discarded objects through the inspector view and OQL.</li>

			<li class="li">The Leaks Suspects Report and the Component Report have been improved with 
			additional sections and details. The reports are now more accessible with a screen reader.</li>

			<li class="li">Other bugs have been fixed. See <a class="xref" href="https://projects.eclipse.org/projects/tools.mat/releases/1.12.0/bugs" target="_blank">Memory Analyzer 1.12 issue list</a>
			</li>

			</ul>

		</div>


		<div class="section"><h2 class="title sectiontitle">Security fixes</h2>
			
			Memory Analyzer 1.12 includes the security fixes first included in Memory Analyzer 1.9.2.
			We highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.12.0 or subsequent versions.
			<dl class="dl">
				
					<dt class="dt dlterm"><a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17634" target="_blank">CVE-2019-17634</a></dt>

						<dd class="dd"><dl class="dl">
							
								<dt class="dt dlterm">PROBLEMTYPE</dt>

								<dd class="dd">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</dd>

							
							
								<dt class="dt dlterm">DESCRIPTION</dt>

								<dd class="dd">Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose to download, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.</dd>

							
						</dl>
</dd>

				
				
					<dt class="dt dlterm"><a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17635" target="_blank">CVE-2019-17635</a></dt>

						<dd class="dd"><dl class="dl">
							
								<dt class="dt dlterm">PROBLEMTYPE</dt>

								<dd class="dd">CWE-502: Deserialization of Untrusted Data</dd>

							
							
								<dt class="dt dlterm">DESCRIPTION</dt>

								<dd class="dd">Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.</dd>

							
						</dl>
</dd>

				
			</dl>

			The stand-alone Memory Analyzer 1.12 also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
			<dl class="dl">
				
					<dt class="dt dlterm"><a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27225" target="_blank">CVE-2020-27225</a></dt>

						<dd class="dd"><dl class="dl">
							
								<dt class="dt dlterm">PROBLEMTYPE</dt>

								<dd class="dd">CWE-306: Missing Authentication for Critical Function</dd>

							
							
								<dt class="dt dlterm">DESCRIPTION</dt>

								<dd class="dd">In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests 
								to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated 
								Eclipse Platform process or Eclipse Rich Client Platform process.</dd>

							
						</dl>
</dd>

				
			</dl>

		</div>

		<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.12</h2>
			
			<p class="p">
				The latest New and Noteworthy document for version 1.12 is available 
				<a class="xref" href="http://www.eclipse.org/mat/1.12.0/noteworthy.html">here</a>.
			</p>

		</div>

		<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.11</h2>
			
			<p class="p">
				The New and Noteworthy document for version 1.11 is available 
				<a class="xref" href="http://www.eclipse.org/mat/1.11.0/noteworthy.html">here</a>.
			</p>

		</div>

	</div>


</body>
</html>